Power User: Security trumps backward compatibility

By John McCormick

Jun 18, 2004

John McCormick

Government agencies are seldom in the forefront when a new operating system comes along, and that's good sense. The only time I risk installing brand-new software is when I'm being paid to evaluate it.

Now that it's been out a while, many agencies have migrated to Microsoft Windows XP Professional, and many more will do so after the latest service pack comes out'perhaps before you read this.

XP Pro made a few minor security improvements compared with Windows 2000, such as a mini-firewall'the Internet Connection Firewall. But ICF didn't come turned on by default, and Microsoft Corp. drew much criticism for its weakly secured system software.

Windows Server 2003 was more secure, but it's not for the desktop systems where so many malware threats sneak in.

Rather than try to secure Win 2000, Microsoft made a major effort to fix the holes in XP Pro. It will soon bear fruit with the release of Service Pack 2.

XP SP2 turns the ICF on by default, a minor advance. Managers will be pleased that Windows Messenger for time-wasting instant messages is now disabled by default. And all users will rejoice that a pop-up ad blocker in the beta version is likely to be turned on by default in the final version.

Far more importantly, workstations with Intel Itanium or Advanced Micro Devices K8 processors will see a big security improvement because SP2 supports the little-known NX command in those processors. NX, or no execute, is a hardware lock for certain memory areas that will prevent malware from using buffer overruns to plant executable code.

The buffer overruns will still exist, but the code simply won't execute in NX-protected memory and therefore becomes relatively harmless. Future processors are likely to support NX, too.

Protecting your ports

Port management will change drastically under SP2. Applications under XP now open whatever ports they need and are supposed to close them when finished. If developers forget to pay attention to this little detail or a program happens to crash, the ports are left wide open to attack.

XP SP2 has an administrator-level white list that transfers port management for apps such as peer-to-peer utilities to the OS. Many programs that would normally need administrative privileges to open ports in ICF can now run at a lower privilege level.

Refined control over remote procedure calls will let administrators decide exactly which privileges to grant to keep RPC services operating. Used properly, that alone should mitigate Trojan horse attacks.

Altogether, the addition of support for the NX command, automated port management and granular control for remote calls should harden XP Pro into a very attractive operating system.

The improvements might even encourage some agencies to switch from Windows 2000 to XP, but there is a downside. Microsoft has shifted its emphasis from backward compatibility to security.

A lot of the historic security problems with Microsoft code have resulted from its support for legacy applications. Many security experts have said the only answer is to leave behind the poor programming practices permitted by legacy operating systems.

Remote procedure calls remain a major security threat because they open so many ports. There are literally dozens of RPC services running on most XP installations. SP2 will stop that and will therefore cause compatibility problems.

Also, the port management improvements will require apps that don't use stateful filtering to be placed on the white list. Otherwise they won't work.

And, because ICF will be enabled by default, any IP version 4 application using inbound connections for audio and video, such as Messenger, will need changes to its underlying code.

Services that listen on fixed ports should prompt administrators to decide whether those services should be permitted to open the ports within ICF and, if so, to alter the ICF rules using the INetFwV4OpenPort application programming interface.

The bottom line: SP2 will greatly boost security, but it will also aggravate problems with legacy applications. Some experts estimate that one legacy app in 10 will encounter trouble after the upgrade. And some applications might have to be recoded. Knowing that these changes are coming should help administrators prepare.

Securing the desktop will still be an administrative responsibility, but at least XP SP2 will have more tools to plug the holes we already knew about.

Until SP2 is released, you can download a final beta version, from /www.microsoft.com, by searching for XP SP2.

John McCormick is a free-lance writer and computer consultant. E-mail him at powerusr@yahoo.com.